Changing URL having long characters

 
Farakh khan
Ranch Hand
Hello,

I want to get advice as to how I can change www.example.com/servlet/Categories?option=1 to, for example, the following:



How can I append extra random characters to my URL?

Thanks in anticipation
 
Bear Bibeault
Author and ninkuma
Marshal
For what purpose? Why random characters? We need to know something about what you are actually trying to accomplish.
 
Farakh khan
Ranch Hand
I am trying to encrypt and then decrypt my URL in such a way that the end user doesn't understand what parameters I am getting in the URL, for security purposes.
 
Paul Clapham
Sheriff
Let's try to clarify that goal a bit. Do you want that encryption to be done by the client, presumably a browser, so that the request sent from the client will contain encrypted parameters?

And also: why do you want to do that? Just saying "for security purpose" isn't very helpful -- security features should be directed against specific threats. What threats are you concerned about?
 
Bear Bibeault
Author and ninkuma
Marshal
What Paul said.

Additionally, security must come from the server. If you do not want to expose id values and such in the UI, then they should be encrypted before being sent to the client, which can use them to send them back in URLs in already-encrypted form. There's little to be gained from encrypting path parameters or request parameter names.

If anyone can type a URL into their browser and do something on your system that they are not supposed to, the security problem is on the server and not in the URLs or in the client code.

For example, let's say I type in something like: http://your.system.com/users/213456?command=delete

And let's say this is the URL to tell the system to delete user 213456. Regardless of whether 213456 is an encrypted value or not, if the system lets me do this if I do not have permissions to do so, then your server-side code has insufficient security.

Security should not be through obfuscation, but through thorough authentication and authorization checking. Note: authentication and authorization are not the same thing.
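
The distinction drawn above, as an added example that is not part of the original post: the server first authenticates the caller, then authorizes the specific action, and the outcome is the same whether the id in the URL is a plain number or an opaque string. The class name, session tokens, user names and the `user:delete` permission string are hypothetical, constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Server-side checks for a request such as /users/{id}?command=delete. */
public class DeleteUserCheck {

    // Constructed sample data: session token -> authenticated user name.
    static final Map<String, String> SESSIONS =
            Map.of("tok-admin", "alice", "tok-user", "bob");

    // Constructed sample data: user name -> permissions granted on the server.
    static final Map<String, Set<String>> PERMISSIONS =
            Map.of("alice", Set.of("user:delete"), "bob", Set.of());

    /** Returns the HTTP status the server would send for the request. */
    static int handle(String sessionToken, String userId, String command) {
        // Authentication: who is making the request? No valid session means 401.
        String caller = (sessionToken == null) ? null : SESSIONS.get(sessionToken);
        if (caller == null) {
            return 401;
        }
        // Reject malformed requests before touching any data.
        if (userId == null || userId.isEmpty() || !"delete".equals(command)) {
            return 400;
        }
        // Authorization: is this authenticated caller allowed to delete users?
        // The form of userId (numeric or opaque) plays no part in the decision.
        if (!PERMISSIONS.getOrDefault(caller, Set.of()).contains("user:delete")) {
            return 403;
        }
        // The deletion itself would happen here, after both checks have passed.
        return 204;
    }

    public static void main(String[] args) {
        String[] ids = {"213456", "x9Qf3LmZ"}; // plain id and an opaque-looking id
        for (String id : ids) {
            System.out.println(id + " anonymous -> " + handle(null, id, "delete"));
            System.out.println(id + " bob       -> " + handle("tok-user", id, "delete"));
            System.out.println(id + " alice     -> " + handle("tok-admin", id, "delete"));
        }
    }
}
```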

 
Farakh khan
Ranch Hand
Thanks for both favorable replies.

You are right, security must be applied on the server side, but I have another scenario as well. I wrote a program 5 years ago and the options are set to display contents, e.g. http://my.mywebsite.com?option=1 //2,3,4,5
option=1 is displaying news, option=2 displaying buy, option=3 displaying sell leads, and so on and so forth.
 
Paul Clapham
Sheriff
Farakh khan wrote: You are right, security must be applied on the server side, but I have another scenario as well. I wrote a program 5 years ago and the options are set to display contents, e.g. http://my.mywebsite.com?option=1 //2,3,4,5
option=1 is displaying news, option=2 displaying buy, option=3 displaying sell leads, and so on and so forth.


And so? What's the security threat involved with somebody knowing that?
 
Farakh khan
Ranch Hand
1. It seems odd to me.
2. The security threat I was talking about is for another website that is accepting payments on a website. I am passing contact info of the customer with card credentials to the bank gateway.
 
Bear Bibeault
Author and ninkuma
Marshal
1. It's not that odd; old-fashioned perhaps.

2. Use SSL and POST. You don't want that info on the URL, and you certainly don't want it passed in clear text even in the response body.
 
Paul Clapham
Sheriff
Farakh khan wrote: 2. The security threat I was talking about is for another website that is accepting payments on a website. I am passing contact info of the customer with card credentials to the bank gateway.


Now that's a better example. The way you encrypt that data is to use SSL, i.e. to use an https: URL instead of an http: URL. Under no circumstances should you try to write your own code to encrypt it, because your code won't be secure.
 
Farakh khan
Ranch Hand
Thanks again for your reply.

1) Will URL encryption and decryption not help in this case?
2) https automatically encrypts and decrypts. The question is why I cannot encrypt or decrypt it manually.
 
Paul Clapham
Sheriff
Farakh khan wrote: 2) https automatically encrypts and decrypts. The question is why I cannot encrypt or decrypt it manually.


Because your encryption won't be secure. SSL was designed by people who are competent cryptographers, so there's a reasonable chance it won't be broken. But you aren't a competent cryptographer so your encryption would easily be broken.
 
Farakh khan
Ranch Hand
Thanks for your great advice!!

Frankly speaking, I have not yet worked with the https protocol. Where can I start?

Best regards
 
Bear Bibeault
Author and ninkuma
Marshal
 
Paul Clapham
Sheriff
Paul Clapham wrote: But you aren't a competent cryptographer...


... so let's suppose you decided to put in the time to become a competent cryptographer. Once you do that, your question is going to be "So why should I reinvent SSL anyway?" There are possible reasons for that, including being able to write a PhD thesis on a topic in cryptography for example, but none of those reasons apply to your bank's need to keep your credit card number secure.

All that, of course, should be suffixed by "... as far as I know" because I'm not a competent cryptographer either.
 